TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Corrective Actions to Address the Disaster Recovery Material Weakness Are Being Completed

June 27, 2011

Report Number: 2011-20-060

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number  | 202-622-6500
Email Address | TIGTACommunications@tigta.treas.gov
Web Site      | http://www.tigta.gov


HIGHLIGHTS

CORRECTIVE ACTIONS TO ADDRESS THE DISASTER RECOVERY MATERIAL WEAKNESS ARE BEING COMPLETED

Final Report issued on June 27, 2011

Highlights of Reference Number: 2011-20-060 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

Disaster recovery planning is a coordinated strategy involving plans, procedures, and technical measures that enable the recovery of information systems, computer operations, and data after a disruption. The Internal Revenue Service (IRS) is completing corrective actions to address a material weakness in its disaster recovery capabilities. Effective disaster recovery capabilities are critical to ensuring that the IRS’s key information systems can be recovered with minimal disruption to service. In addition to the IRS needing these systems to administer the Nation’s tax system, data and services provided by these systems are needed by Congress, the Department of the Treasury, tax professionals, taxpayers, and other Government agencies.

WHY TIGTA DID THE AUDIT

The IRS requested that TIGTA evaluate the corrective actions for addressing its disaster recovery material weakness. In March 2005, the IRS declared its disaster recovery program a material weakness in accordance with the Federal Managers’ Financial Integrity Act of 1982. The IRS prepared a corrective action plan that divided the material weakness into seven components and contained corrective actions for each of these components. The last of the corrective actions is scheduled to be completed in December 2011. The objective of the audit was to evaluate the IRS’s progress in completing its corrective actions for addressing the disaster recovery material weakness.

WHAT TIGTA FOUND

Corrective actions for addressing the disaster recovery material weakness are being adequately completed for six of the seven components. The IRS 1) created two disaster recovery Internal Revenue Manuals, 2) developed a disaster recovery training curriculum, 3) prioritized the recovery order of its systems based on the criticality of the business processes the systems supported, 4) is creating a program for performing reviews of its disaster recovery efforts and activities, 5) prepared, exercised, and tested disaster recovery plans for all of its systems, and 6) performs ongoing analyses of its recovery capabilities to identify gaps in its ability to meet business recovery requirements and to prioritize corrective actions.

During the course of the audit, TIGTA auditors recommended several changes to the corrective actions that the IRS completed, or was in the process of completing, prior to issuance of this report. Two items remain outstanding. The IRS does not have 1) a system for tracking whether employees with disaster recovery roles attend required annual training and 2) adequate metrics to assess progress and track improvements in completing the corrective actions.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Technology Officer ensure that the IRS develops 1) the capability to track the disaster recovery training of employees with disaster recovery roles and responsibilities and 2) metrics specifically designed to assess progress and track improvements in completing the disaster recovery corrective actions.

In its response to the report, the IRS agreed with TIGTA’s recommendations. The IRS plans to 1) develop a formal process and monitoring system to track the completion of disaster recovery training by employees who have disaster recovery roles and responsibilities and 2) design metrics to assess the progress of the disaster recovery program.


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

June 27, 2011

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

FROM:    Michael R. Phillips, Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Corrective Actions to Address the Disaster Recovery Material Weakness Are Being Completed (Audit # 201020024)

This report presents the results of our review of the Cybersecurity organization’s[1] disaster recovery activities. The overall objective was to evaluate the Internal Revenue Service’s (IRS) corrective actions for addressing its disaster recovery material weakness.[2] This review was requested by the Cybersecurity organization. This review also addresses the major management challenge of Security of the IRS and is part of our statutory requirements to annually review the adequacy and security of IRS technology.
Management’s complete response to the draft report is included as Appendix VI.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Alan Duncan, Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-5894.

[1] See Appendix V for a glossary of terms.
[2] In March 2005, the IRS declared its disaster recovery program a material weakness in accordance with the Federal Managers’ Financial Integrity Act of 1982.


Table of Contents

Background
Results of Review
    Corrective Actions Are Being Adequately Completed for Six of the Seven Components of the Disaster Recovery Material Weakness
        Recommendation 1
    Improvements Are Needed in the Corrective Actions for the Metrics Component of the Disaster Recovery Material Weakness
        Recommendation 2
Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – National Institute of Standards and Technology Publications
    Appendix V – Glossary of Terms
    Appendix VI – Management’s Response to the Draft Report


Abbreviations

ECC      Enterprise Computing Center
IRS      Internal Revenue Service
IT       Information Technology
ITDRO    Information Technology Disaster Recovery Organization
MITS     Modernization and Information Technology Services
NIST     National Institute of Standards and Technology
SP       Special Publication
TSCC     Toolkit Suite With Command Centre


Background

To carry out its mission, the Internal Revenue Service (IRS) is heavily dependent on an extensive network of computer systems spread across the country. During Fiscal Year 2009, the IRS reported that its computer systems processed more than 236 million returns, provided nearly 127 million refunds, collected more than $2.3 trillion, received more than 296 million visits to its web sites, and received about 95 million electronically filed individual income tax returns.
In addition to the IRS needing these systems, data and services provided by the systems are also needed by Congress, the Department of the Treasury, tax professionals, taxpayers, and other Government agencies. During Fiscal Year 2010, the IRS reported that its computer network contains about 131,000 workstations, 4,500 infrastructure and application servers, 310 midrange servers, and 18 mainframe computers.

Significant events such as the terrorist attacks on September 11, 2001, and Hurricane Katrina in August 2005 emphasize the need for organizations to have plans in place that will ensure essential operations can continue during a wide range of emergencies. Attacks and threats against IRS employees and facilities have risen steadily in recent years, highlighted by the February 2010 attack on an IRS facility in Austin, Texas. Disaster recovery is an organization’s ability to respond to a disruption in services by implementing a plan to restore critical business functions within the stated disaster recovery goals. It is a coordinated strategy involving plans, procedures, and technical measures that enable the recovery of information systems, computer operations, and data. Disaster recovery plans[1] define the resources, actions, tasks, and data required to recover information systems. Effective disaster recovery capabilities are critical to ensuring that the IRS’s key information systems needed to ensure the continuation of the Nation’s tax system can be recovered with minimal disruption to service.

Federal disaster recovery requirements exist on several levels. The Federal Information Security Management Act of 2002[2] requires that Federal agencies develop, document, and implement an agency-wide information security program that includes plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency. The Office of Management and Budget requires agencies to ensure that disaster recovery planning capabilities are in place and to provide for continuity of support and disaster recovery planning for their computer systems. Pursuant to its responsibilities under the Federal Information Security Management Act, the National Institute of Standards and Technology (NIST) issues guidance that requires agencies to develop and maintain a disaster recovery program for their information systems to ensure that measures are in place to recover systems after a disruption. NIST guidance outlines the process for developing and maintaining effective disaster recovery plans. The Department of the Treasury requires bureaus to develop and implement a robust, cost-effective Information Technology (IT) security program that includes disaster recovery planning.

Examples of the key components that make up disaster recovery programs include 1) assessing the criticality and sensitivity of computerized operations and identification of supporting resources, such as developing a business impact analysis; 2) taking steps to prevent and minimize potential damage and interruption, such as establishing data backup processes; 3) developing comprehensive disaster recovery plans; 4) conducting periodic testing of disaster recovery plans; and 5) maintaining disaster recovery plans to keep them up to date.

In response to an audit recommendation made by the Treasury Inspector General for Tax Administration, the IRS, in March 2005, declared its disaster recovery program a material weakness in accordance with the Federal Managers’ Financial Integrity Act of 1982.[3] To remediate this weakness, a Disaster Recovery Program Director was appointed in late Calendar Year 2005, and in October 2006 the IRS added disaster recovery into its overall Computer Security Material Weakness Plan. In October 2007, the IRS formed the Information Technology Disaster Recovery Organization (ITDRO) within the Modernization and Information Technology Services (MITS) organization’s Cybersecurity office. The new office was formed to serve as a single focal point to provide oversight, accountability, and responsibility for developing and maintaining the IRS’s enterprise disaster recovery strategy and for bridging the gap between business owners and IT operational staff. The office has a staff of about 50 employees.

[1] Information technology disaster recovery planning is also referred to as contingency planning. Because universally accepted definitions are not available, throughout this report we used the term disaster recovery.
[2] 44 U.S.C. §§ 3541 – 3549.
In Fiscal Year 2010, the MITS organization initiated a reorganization that will reassign the responsibilities of the ITDRO to two divisions within the Cybersecurity organization.

This review was performed at the ITDRO offices in Chamblee, Georgia, during the period June 2010 through March 2011. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[3] 31 U.S.C. §§ 1105, 1113, 3512 (2000).


Results of Review

As part of its disaster recovery remediation efforts, the ITDRO reported the following major program enhancements from Fiscal Year 2008 through Fiscal Year 2010:
    • Created two disaster recovery Internal Revenue Manuals.
    • Developed a disaster recovery training curriculum, conducted outreach and awareness sessions, and published disaster recovery articles.
    • Completed an enterprise business impact analysis that evaluated more than 600 business processes.
    • Established application recovery priorities based on critical business processes[4] and operational impacts.
    • Performed in-depth assessments and gap analyses of business processes and enterprise disaster recovery capabilities.
    • Developed disaster recovery plans for 161 applications and 23 general support systems.
    • Updated all disaster recovery plans.
    • Performed more than 400 disaster recovery tests and exercises.
    • Established a documented and repeatable disaster recovery testing process including expectations, requirements, and templates.
    • Tested disaster recovery plans for critical applications based on Department of the Treasury and NIST requirements.
    • Was provided funding specifically for improving the IRS’s disaster recovery capabilities in Fiscal Years 2010 and 2011.

Figure 1 describes the corrective actions for the seven components that comprise the disaster recovery material weakness. The ITDRO is responsible for managing the completion of these corrective actions.

[4] The IRS identified 18 critical business processes, such as processing remittances and processing tax returns, and determined the critical business processes that each of its systems support.

Figure 1: Disaster Recovery Material Weakness Components and Corrective Actions

Component: Policy (Status: Completed 10/1/08)
    1. Develop and maintain an enterprise-wide Disaster Recovery Internal Revenue Manual specifically addressing business impact analysis, testing, exercise, and plan development guidance and templates.
    2. Conduct outreach and awareness sessions to ensure the Internal Revenue Manual is incorporated into day-to-day operations.
    3. Develop an enterprise-wide disaster recovery course curriculum.

Component: Business Impact Analysis (Status: Completed 10/1/08)
    1. Develop and maintain a prioritized list of critical IT systems that support critical business processes and establish site-based restoration priority documents.
    2. Conduct gap analyses surrounding the ability to restore via the critical business process.
    3. Develop an analysis comparing the recovery time objective and recovery point objective of both the MITS organization and Business Operating Divisions.
    4. Develop an infrastructure spend plan based on the analyses mentioned above.

Component: Disaster Recovery Compliance (Status: Due Date 7/1/11)
    1. Complete internal auditing of the disaster recovery efforts to ensure accuracy and completeness as it relates to day-to-day operations and efforts to mitigate the material weaknesses and audits.

Component: Disaster Recovery Plans (Status: Completed 12/28/10)
    1. Develop and maintain disaster recovery plans associated with general support systems, to include all components that support critical applications.
    2. Establish and maintain data and processing backup-recovery capabilities and ensure maximum allowable outage times meet the recovery time objectives of the applications being supported.

Component: Disaster Recovery Plan Test and Exercise (Status: Completed 10/1/08)
    1. Develop baseline expectations, requirements, and templates for disaster recovery plans and for disaster recovery plan tests and exercises.
    2. Identify roles and responsibilities of the MITS organization and Business Operating Divisions involved in the testing.
    3. Identify the frequency and type of testing required and reporting requirements.
    4. Conduct tabletop, functional, and end-to-end disaster recovery testing for critical applications based upon direction from the Department of the Treasury and the Federal Information Security Management Act.

Component: Technical Assessment (Status: Due Date 7/31/11)
    1. Perform annual system risk assessments.
    2. Develop a true redundancy and resiliency analysis. Based on the critical business processes, develop a site-based restoration vulnerabilities analysis.
    3. Create a recovery point objective and recovery time objective analysis and gain concurrence from both the Business Operating Divisions and the MITS organization.
    4. Incorporate a technical assessment tool that will provide an infrastructure impact analysis in the event of a disaster.

Component: Material Weakness Area Metrics (Status: Due Date 12/31/11)
    Establish and maintain collection and reporting of metrics to assess progress and track improvements in all component activity implementations over time.

Source: The IRS Computer Security Material Weakness Plan for Fiscal Year 2010.


Corrective Actions Are Being Adequately Completed for Six of the Seven Components of the Disaster Recovery Material Weakness

The IRS is adequately completing corrective actions for the 1) Policy, 2) Business Impact Analysis, 3) Disaster Recovery Compliance, 4) Disaster Recovery Plans, 5) Disaster Recovery Plan Test and Exercise, and 6) Technical Assessment components of the disaster recovery material weakness.

Corrective actions for the Policy component are being adequately completed

The Policy component contained three corrective actions that the IRS closed in October 2008. The three corrective actions are being adequately completed except for one remaining item in the third corrective action below.

Corrective Action 1 – Develop and maintain an enterprise-wide Disaster Recovery Internal Revenue Manual specifically addressing business impact analysis, testing, exercise, and plan development guidance and templates.

Disaster Recovery Internal Revenue Manual 10.8.60, Information Technology Disaster Recovery Policy and Guidance; Interim Disaster Recovery Internal Revenue Manual 10.8.62, Information Technology Contingency Plan and Disaster Recovery Testing, Training and Exercise Program; and IRS application and general support system disaster recovery plan templates were complete and consistent with NIST Special Publication (SP) 800-34,[5] NIST SP 800-84, and Treasury Directive Publication 85-01, Treasury Information Technology Security Program.

Corrective Action 2 – Conduct outreach and awareness sessions to ensure the Internal Revenue Manual is incorporated into day-to-day operations.

The ITDRO used several methods to conduct disaster recovery outreach and awareness. It made presentations at each of the campuses and computing centers, distributed brochures and posters during these visits, and published articles in several different IRS electronic newsletters. The outreach and awareness methods used by the IRS and the disaster recovery topics presented were complete and consistent with outreach and awareness methods and disaster recovery processes recommended by guidance in NIST SP 800-34 and NIST SP 800-50.

Corrective Action 3 – Develop an enterprise-wide disaster recovery course curriculum.

The IRS has a curriculum consisting of about 30 disaster recovery training courses that cover the various aspects of disaster recovery. These courses adequately covered disaster recovery topics appearing in NIST SP 800-34 and in the IRS disaster recovery material weakness plan. Course reviews prepared by attendees did not indicate any concerns with the content of the courses. The IRS training delivery methods were consistent with methods suggested in NIST SP 800-50. However, the ITDRO is not able to track whether employees with disaster recovery roles attend required annual disaster recovery training.
NIST SP 800-34 requires that employees with disaster recovery roles be trained annually. The IRS disaster recovery manual requires employees with disaster recovery responsibilities to attend annual disaster recovery training. The IRS’s electronic training system tracks each employee’s training, but it does not track whether employees have disaster recovery roles and attended disaster recovery training. The ITDRO told us that it was aware of the need to track the training of employees with disaster recovery roles and that the development of a tracking capability is included in its recently funded training plan. Until this capability is implemented, the IRS will not be able to ensure that employees are attending required annual disaster recovery training.

Management Action: During the course of the audit, we recommended to the ITDRO several changes to the first and third corrective actions, which it completed or was in the process of completing before we issued this report.

Corrective actions for the Business Impact Analysis component were adequately completed

The Business Impact Analysis component contained four corrective actions that the IRS closed in October 2008. All four corrective actions were adequately completed. A business impact analysis is an ongoing activity within a disaster recovery organization, and business impact analysis results are continuously updated and refined. The IRS has developed a repeatable business impact analysis process that provides updated and current information on the impacts of a disaster or disruption. In October 2008, the ITDRO reported the results of its initial business impact analysis efforts. The ITDRO expects to complete an updated business impact analysis report in June 2011.

[5] The titles of NIST publications are shown in Appendix IV.

Corrective Action 1 – Develop and maintain a prioritized list of critical IT systems that support critical business processes and establish site-based restoration priority documents.

The ITDRO established and maintained a prioritized list of systems that support critical business processes and established site-based restoration priority documents in accordance with business impact analysis guidance recommended by NIST SP 800-34. To begin the process of creating a prioritized list of applications, the ITDRO identified 18 critical business processes and determined the critical business processes each application supported. The ITDRO then developed a methodology for scoring each application. The scoring system assigned points to each critical business process and to each application’s recovery time objective. The more important critical business processes and the more time-critical recovery time objectives were assigned more points than those deemed less critical. The result ranked applications in order, starting with those with the most significant impact (highest scores) to those with the least impact (lowest scores).

Corrective Action 2 – Conduct gap analyses surrounding the ability to restore via the critical business processes.

The ITDRO performed an analysis of the actual recovery times of applications and of the actual restoration times of the critical business processes those applications support. The analysis was limited to 62 applications residing at the IRS’s three computing centers. Application recovery timeline diagrams have been prepared measuring the ability to recover the applications and restore the critical business processes supported by those applications.
The results of the analysis were\npresented in terms of recovery situation assessments by computing center, application, and\ncritical business process. Analysis updates following infrastructure upgrades have shown a\nsteady reduction in restoration times of critical business processes. For example, the analysis\nindicates that the restoration time of the processing tax returns critical business process has been\nreduced from about 60 days to between 5 and 7 days. While these analyses have been conducted\nfor the 62 applications at the three computing centers, future analyses will include approximately\n100 remaining applications that support critical business processes.\nCorrective Action 3 \xe2\x80\x93 Develop an analysis comparing the recovery time objective and recovery\npoint objective of both the MITS organization and Business Operating Divisions.\nThe IRS\xe2\x80\x99s business impact analysis included an analysis to identify gaps between the recovery\ntime objectives of applications owned by the Business Operating Divisions and the recovery time\nobjectives of the MITS infrastructure. The purpose of the analysis was to determine whether\ncurrent MITS organization recovery strategies address Business Operating Division requirements\n\n                                                                                             Page 7\n\x0c                       Corrective Actions to Address the Disaster Recovery\n                             Material Weakness Are Being Completed\n\n\n\nfor application recovery. Each application underwent this analysis to produce a summary of\npotential gaps in the IRS\xe2\x80\x99s ability to recover applications within their stated time objectives. The\nanalysis compared the recovery time objective of applications to the recovery time objective of\nthe primary general support system in which the application resides. 
If the recovery time\nobjective of the general support system was not sufficient to recover the application within its\nrecovery time objective, a potential gap was identified. Highlighting potential gaps between\nrequirements driven by Business Operating Division application recovery times and general\nsupport system recovery times can enable both the Business Operating Divisions and the\nMITS organization to prioritize and address deficiencies in disaster recovery capabilities. The\ngap analysis revealed significant deficiencies in the IRS\xe2\x80\x99s ability to quickly recover even the\nmost critical tax processing systems. As of October 2008, gaps of 60 days or more were\nidentified for some systems. Other gaps showed that some systems could not be recovered at all\nat an offsite location.\nSince the initial gap analysis results in October 2008, the ITDRO has undertaken efforts to close\nthe gaps between the Business Operating Division and MITS organization recovery time\nobjectives. Under the Technical Assessment corrective action, the ITDRO continues to assess\nthe IRS\xe2\x80\x99s IT infrastructure to identify, prioritize, and implement improvements in capacity and\nequipment in an effort to improve disaster recovery capabilities and shorten recovery times for\napplications and critical business processes. The ITDRO is currently conducting a Disaster\nRecovery Capability Analysis to determine the actual impacts of general support system\nfailures on the applications that support the critical business processes. This analysis will\nprovide information on the effect on business operations if any part of the supporting systems\nis disrupted. 
Once the analysis is complete in June 2011, the results will be presented to the\nBusiness Operating Divisions, which will use the information to adjust their application recovery\ntime objectives or provide resources to improve disaster recovery capabilities for the systems\nthat support their applications and business operations.\nCorrective Action 4 \xe2\x80\x93 Develop an infrastructure spend plan based on the analyses mentioned\nabove.\nInformation about recovery capabilities identified in the gap analyses formed the basis for the\ninfrastructure spend plan. The ITDRO identified short-term infrastructure needs to address\nmainframe enhancements to improve recovery times of applications that support the most critical\nreturns and remittance processing business processes. In Fiscal Year 2010, for the first time,\nfunding was provided specifically for improving the IRS\xe2\x80\x99s disaster recovery capabilities. Of a\n$9 million allotment, $5 million was expended in Fiscal Year 2010 for procuring equipment and\nstorage capacity to improve recovery times of the most critical mainframe core tax processing\nsystems. The remaining $4 million will carry over to Fiscal Year 2011. For Fiscal Year 2011,\nan additional $9 million has been approved for additional improvements that will go beyond\nmainframe improvements to include disaster recovery improvements for applications that\nprovide overall support to operational functions. 
The IRS\xe2\x80\x99s Fiscal Year 2012 Budget Request\nincludes $12 million to make further improvements in the IRS\xe2\x80\x99s disaster recovery capabilities.\n\nCorrective actions for the Disaster Recovery Compliance component are being\nadequately completed\nThe IRS is in the process of completing its corrective actions for the Disaster Recovery\nCompliance component and expects to close it by July 2011. The corrective actions that the IRS\nhad completed as of our audit fieldwork were adequately completed.\nCorrective Action 1 \xe2\x80\x93 Complete internal auditing of the disaster recovery efforts to ensure\naccuracy and completeness as it relates to day-to-day operations and efforts to mitigate the\nmaterial weaknesses and audits.\nThe ITDRO developed a manual that provides guidance, procedures, and methodology for\nperforming compliance reviews and audits that verify and validate whether disaster recovery\nplanning processes and activities comply with requirements. The manual contains auditing\nprocedures broken down into the following seven sections:\n   \xe2\x80\xa2   Initiate and plan the program.\n   \xe2\x80\xa2   Gather data for the project.\n   \xe2\x80\xa2   Prepare for the compliance review.\n   \xe2\x80\xa2   Conduct the compliance review.\n   \xe2\x80\xa2   Consolidate findings for the draft report.\n   \xe2\x80\xa2   Issue final report.\n   \xe2\x80\xa2   Follow up.\nThe manual was generally complete and consistent with guidance recommended in\nNIST SP 800-115 and contained in the Treasury Inspector General for Tax Administration audit\nmanual.\nManagement Action: During the course of the audit, we recommended to the ITDRO several\nchanges to its corrective actions, which it was in the process of completing before we issued this\nreport.\n\nCorrective actions for the Disaster Recovery Plans component were adequately\ncompleted\nThe Disaster Recovery Plans component contained two corrective actions that the IRS closed in\nDecember 
2010.\nCorrective Action 1 \xe2\x80\x93 Develop and maintain disaster recovery plans associated with general\nsupport systems, to include all components that support critical applications.\nThe ITDRO created a template for preparing application disaster recovery plans and another\ntemplate for preparing general support system disaster recovery plans. The templates were\ncomplete and consistent with requirements in NIST SP 800-34.\nThe IRS has developed procedures for preparing disaster recovery plans, has prepared disaster\nrecovery plans for all of its systems, and reviews and updates them on an annual basis as\nrequired by NIST SP 800-34.\nCorrective Action 2 \xe2\x80\x93 Establish and maintain data and processing backup-recovery capabilities\nand ensure maximum allowable outage times meet the recovery time objectives of the\napplications being supported.\nThe IRS has a process in place whereby the ITDRO works with system owners to establish the\nsystems\xe2\x80\x99 recovery time objectives, review the recovery processes, and identify system upgrades\nthat can decrease actual recovery times. The process is consistent with the contingency planning\nprocess steps in NIST SP 800-34. The disaster recovery plan templates for applications and\ngeneral support systems contain a section that requires insertion of the system recovery time\nobjectives. IRS forms used to update disaster recovery plans ask for updated recovery time\nobjectives. 
The Disaster Recovery Test Plan has a section that analyzes and compares actual\nrecovery times of the systems included in the test to their recovery time objectives.\nThe IRS has recently installed system upgrades that reduced the actual recovery times of\ncertain applications from as much as 30\xe2\x80\x9360 days to 5\xe2\x80\x937 days. However, these times still exceed\nthe recovery time objectives, which range, depending on the application, from 12 to 36 hours.\nThe IRS\xe2\x80\x99s efforts to address these gaps are covered in this report in the Business Impact Analysis\nand the Technical Assessment component sections.\n\nCorrective actions for the Disaster Recovery Plan Test and Exercise component\nwere adequately completed\nThe Disaster Recovery Plan Test and Exercise component contained four corrective actions that\nthe IRS closed in October 2008.\nCorrective Action 1 \xe2\x80\x93 Develop baseline expectations, requirements, and templates for disaster\nrecovery plans and disaster recovery plan tests and exercises.\nDisaster recovery policies and procedures, disaster recovery plan preparation guidance, and\ntesting and exercising guidance in 1) Internal Revenue Manual 10.8.60, 2) Interim Internal\nRevenue Manual 10.8.62, 3) IRS application and general support system disaster recovery plan\ntemplates, and 4) IRS exercising and testing templates were complete and consistent with\nNIST SP 800-34, NIST SP 800-53, NIST SP 800-84, and Treasury Directive Publication 85-01\nrequirements.\nCorrective Action 2 \xe2\x80\x93 Identify roles and responsibilities of the MITS organization and Business\nOperating Divisions involved in the testing.\nWe reviewed all disaster recovery roles and responsibilities defined in IRS disaster 
recovery\nmanuals and in the roles and responsibilities manual, not just roles and responsibilities for\ndisaster recovery testing, and found that they were generally complete and consistent with\nNIST SP 800-12, NIST SP 800-16, NIST SP 800-34, NIST SP 800-37, and Treasury Directive\nPublication 85-01 requirements.\nCorrective Action 3 \xe2\x80\x93 Identify the frequency and type of testing required and reporting\nrequirements.\nTesting frequency, type of tests required, and reporting requirements defined in IRS disaster\nrecovery manuals were complete and consistent with NIST SP 800-34, NIST SP 800-53,\nNIST SP 800-84, and Treasury Directive Publication 85-01 requirements. For some systems\nwhose lack of availability would have only a limited adverse impact on the organization, the IRS\nrequires a higher level of testing than NIST and Department of the Treasury requirements call\nfor.\nCorrective Action 4 \xe2\x80\x93 Conduct tabletop, functional, and end-to-end disaster recovery testing for\ncritical applications based upon direction from the Department of the Treasury and the Federal\nInformation Security Management Act.\nBecause the IRS closed this corrective action in October 2008, we reviewed disaster recovery\nexercising and testing during the Federal Information Security Management Act\xe2\x80\x99s 2008 reporting\ncycle and found that all systems received the levels of testing required by NIST SP 800-34,\nNIST SP 800-53, NIST SP 800-84, and Treasury Directive Publication 85-01 requirements,\nwhereby systems whose lack of availability would have a more serious impact on the\norganization received more extensive testing.\nManagement Action: During the course of the audit, we recommended to the ITDRO several\nchanges to the second corrective action, which it completed before we issued this report.\n\nCorrective actions for the Technical Assessment component are being\nadequately completed\nThe Technical Assessment 
component contains four corrective actions, and its original closure\ndate has been extended from October 2010 to July 2011. Because the ITDRO expanded the scope\nof its original corrective action, in September 2010 the Associate Chief Information Officer,\nCybersecurity, the executive owner of the disaster recovery material weakness, granted the ITDRO\nan extension to July 2011. The previous work efforts have expanded from a computing center\nfocus to include campus assets. The expansion also takes people, processes, and technology into\nconsideration in a disruption or disaster. The corrective actions that the IRS had completed as of\nour audit fieldwork were adequately completed.\nCorrective Action 1 \xe2\x80\x93 Perform annual system risk assessments.\nThe ITDRO conducts ongoing system risk assessments while other IRS programs perform\nannual as well as ongoing system risk assessments. Examples of these activities include, but are\nnot limited to: annual Federal Information Security Management Act reviews including\ncertification and accreditations, the enterprise continuous monitoring program, the disaster\nrecovery plan testing program, ongoing system vulnerability assessments and scans, penetration\ntesting and source code analysis, the Critical Infrastructure Protection program, and ongoing\ndisaster recovery business impact and technical assessments.\nCorrective Action 2 \xe2\x80\x93 Develop a true redundancy and resiliency analysis. Based on the critical\nbusiness processes, develop site-based restoration vulnerabilities analysis.\nThe ITDRO began its efforts to develop a true redundancy and resiliency analysis with the\nMartinsburg Business Resiliency Analysis in 2009. 
The analysis focused on a disaster scenario\nat the Enterprise Computing Center (ECC) in Martinsburg, West Virginia, and the ability to\nrecover the functionality of impacted applications and restore related critical business processes\nat the ECC in Memphis, Tennessee. The analysis identified deficits between ECC-Martinsburg\nand ECC-Memphis capabilities. For example, recovery times at ECC-Memphis for 15 key\nECC-Martinsburg systems ranged from 3 days to more than 60 days, and other systems could\nnot be recovered at ECC-Memphis at all. Infrastructure improvements identified in the\ninfrastructure spend plan and made during Fiscal Year 2010 have since reduced those initial\napplication recovery times to the 5\xe2\x80\x937 day range. Since the initial ECC-Martinsburg\nanalysis, the ITDRO has established the Disaster Recovery Capability Analysis to complete the\nanalysis of applications supporting critical business processes at the computing centers and\nnon-computing center locations. Through this project, the ITDRO is identifying and\nimplementing IT technologies to further reduce the restoration times to hours based on business\nrequirements.\nCorrective Action 3 \xe2\x80\x93 Create a recovery point objective and recovery time objective analysis and\ngain concurrence from both the Business Operating Divisions and the MITS organization.\nThe analysis of recovery point and recovery time objectives is still in progress and has a target\ncompletion date of June 2011. As part of the business impact analysis workshops, each business\nunit was provided its specific recovery point and recovery time objectives for review and\napproval. 
The Disaster Recovery Capability Analysis targeted for completion in June 2011 will\nprovide the business units with more accurate information about current infrastructure\ncapabilities and the time required to recover applications.\nAs of February 2011, the ITDRO has established the following recovery times for 97 of the\n162 applications that support the critical business processes. The 97 applications include\n44 (68 percent) of the 65 applications that support the top 2 critical business processes of returns\nand remittance processing.\n   \xe2\x80\xa2   24 percent (23 applications) in 3 days or less.\n   \xe2\x80\xa2   25 percent (24 applications) in 3\xe2\x80\x935 days.\n   \xe2\x80\xa2   12 percent (12 applications) in 6\xe2\x80\x9329 days.\n   \xe2\x80\xa2   39 percent (38 applications) in 30 days or more.\nThe Business Operating Divisions will use the Capability Analysis information to reevaluate\ntheir recovery time objectives to better align with technical capabilities or to consider providing\nfunding for infrastructure improvements that will result in recovery times that meet their\nbusiness needs.\nCorrective Action 4 \xe2\x80\x93 Incorporate a technical assessment tool that will provide an infrastructure\nimpact analysis in the event of a disaster.\nTo accomplish this corrective action, the ITDRO is deploying a web-based system, the Toolkit\nSuite with Command Centre (TSCC). The TSCC system is a decision-support tool and plan\nrepository for disaster recovery. When a disaster occurs, the tool (when fully implemented) will\nidentify the people, processes, and systems that have been impacted. 
It will provide critical\ninformation for decision making during disaster events and exercises, identify restoration\npriorities, and determine the disaster recovery plans that should be activated. Its contents will\nserve as the sole source for recovering, relocating, or rebuilding IRS business processes and\nsupporting systems. This tool will be synchronized with and receive employee data from\npersonnel and timekeeping systems, as well as systems, hardware, and server data from IT\ninventory systems.\nThe TSCC is a multi-modular system that will be implemented in phases. Full implementation is\nexpected by Fiscal Year 2013. Currently, disaster recovery plans, incident management plans,\nand evacuation plans have been loaded into the system, and it has been used in the most recent\ndisaster recovery tests at the computing centers. At present, there are about 3,000 TSCC users\nacross the IRS.\nManagement Action: During the course of the audit, we recommended a change to the ITDRO\nfor the first corrective action, which it completed before we issued this report.\n\nRecommendation\nRecommendation 1: The Chief Technology Officer should ensure that the capability is\ndeveloped to track the disaster recovery training of employees with disaster recovery roles and\nresponsibilities.\n       Management\xe2\x80\x99s Response: The IRS agreed with our recommendation. 
The IRS\n       plans to develop a formal process and monitoring system to track the completion of\n       disaster recovery training by employees who have disaster recovery roles and\n       responsibilities.\n\nImprovements Are Needed in the Corrective Actions for the Metrics\nComponent of the Disaster Recovery Material Weakness\nThe IRS is in the process of developing its corrective action for the Metrics component and\nexpects to close it by December 2011. Improvements to corrective actions are needed for\nmetrics the IRS is developing for each component, except for the Disaster Recovery Plan Test\nand Exercise component.\nCorrective Action 1 \xe2\x80\x93 Establish and maintain collection and reporting of metrics to assess\nprogress and track improvements in all component activity implementations over time.\nThe IRS provided us with its ongoing operational metrics and planned metrics. These metrics\nare designed to report on the various activities within the ITDRO for a given reporting period.\nHowever, the IRS does not have metrics specifically designed to assess progress and track\nimprovements in the following five components of the disaster recovery material weakness over\ntime.\n   \xe2\x80\xa2   Policy component.\n   \xe2\x80\xa2   Business Impact Analysis component.\n   \xe2\x80\xa2   Disaster Recovery Compliance component.\n   \xe2\x80\xa2   Disaster Recovery Plans component.\n   \xe2\x80\xa2   Technical Assessment component.\nFor the Policy component, the IRS did not have metrics for the corrective action on conducting\noutreach and awareness sessions. 
For the corrective action on developing an enterprise-wide\ndisaster recovery course curriculum, while the IRS has some metrics on disaster recovery courses\ncreated, courses delivered by the ITDRO, and attendance, it did not have metrics on the\npercentage of employees with disaster recovery responsibilities who attended any of the available\nIRS courses, not just courses developed by the ITDRO. This is an all-encompassing metric that\nmeasures the extent to which the appropriate employees attend training.\nFor the Business Impact Analysis component, the IRS had a metric for the number of systems\nwith a business impact analysis, but a more meaningful metric would be the percentage of\nsystems with a completed business impact analysis. For the corrective action on gap analyses,\nmetrics are needed, such as the percentage of systems that can be recovered within recovery time\nrequirements, the percentage of systems that can be recovered slightly beyond recovery time\nrequirements, and the percentage of systems that can be recovered significantly beyond recovery\ntime requirements.\nFor the Disaster Recovery Compliance component, the IRS had a metric for the targeted and\nactual number of reviews planned and the percentage of targeted reviews achieved. 
Metrics\ncould be created for the number and percentage of compliance audits planned and completed and\nfor the percentage of recommendations and corrective actions that have been implemented.\nFor the Disaster Recovery Plans component, the IRS had the following metrics for the corrective\naction on the development and maintenance of disaster recovery plans:\n   \xe2\x80\xa2   The targeted number and actual number of disaster recovery plans reviewed as part of\n       annual Certification and Accreditation.\n   \xe2\x80\xa2   The percentage of targeted disaster recovery plan reviews achieved.\n   \xe2\x80\xa2   The targeted number and actual number of disaster recovery plans completed.\n   \xe2\x80\xa2   The percentage of targeted disaster recovery plans completed.\n   \xe2\x80\xa2   The total number of disaster recovery plans reviewed and updated for the current Federal\n       Information Security Management Act cycle.\n   \xe2\x80\xa2   The percentage of disaster recovery plans written for critical systems.\nAdditional metrics for this corrective action could include:\n   \xe2\x80\xa2   The percentage of general support systems that have a disaster recovery plan.\n   \xe2\x80\xa2   The percentage of applications that have a disaster recovery plan.\nFor the corrective action on establishing and maintaining data and processing backup-recovery\ncapabilities, metrics are needed, such as the percentage of systems that have established and\nsuccessfully tested data backup-recovery capability and the percentage of systems that have\nestablished and successfully tested processing backup-recovery capability. In addition, for the\nTechnical Assessment component, metrics are needed to measure the extent to which each of the\ncorrective actions has been completed and the results that each has achieved.\nThe IRS needs to develop more specific metrics on the five components as it continues its work\non this corrective action. 
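As an added illustration (not part of this report, and not code from any IRS system) of three techniques described above: the weighted scoring under Business Impact Analysis Corrective Action 1 that ranks applications by the critical business processes they support and their recovery time objectives; the test under Corrective Action 3 that flags a potential gap when the recovery time objective of the hosting general support system exceeds the application's own; and the percentage metrics suggested for the gap-analysis corrective action (systems recovered within, slightly beyond, or significantly beyond their recovery time requirements). All point values, the RTO bands, the 1.5x definition of "slightly beyond", the general support system names, and the application names and figures are assumptions made for the example.

```python
"""Added example (not the report's or the IRS's code): business impact
analysis helpers that rank applications, flag general support system (GSS)
recovery time objective (RTO) gaps, and compute SP 800-55-style percentage
metrics. Every weight, threshold, name and figure here is a constructed
assumption."""
from dataclasses import dataclass
from typing import Optional

# Assumed points per critical business process (the IRS identified 18;
# only four are modelled). A higher value means a more important process.
PROCESS_POINTS = {
    "returns processing": 10,
    "remittance processing": 9,
    "taxpayer correspondence": 4,
    "internal reporting": 1,
}

# Assumed RTO of each GSS in hours. None models a GSS that cannot be
# recovered at the alternate site at all.
GSS_RTO_HOURS = {"mainframe": 120, "midrange": 48, "campus-web": None}


@dataclass
class Application:
    name: str
    processes: list                       # critical business processes supported
    rto_hours: float                      # RTO agreed with the business owner
    gss: str                              # primary GSS the application resides in
    actual_hours: Optional[float] = None  # recovery time measured in a DR test


def rto_points(rto_hours: float) -> int:
    """More time-critical objectives earn more points (assumed bands)."""
    if rto_hours <= 12:
        return 10
    if rto_hours <= 36:
        return 7
    if rto_hours <= 24 * 7:
        return 3
    return 1


def score(app: Application) -> int:
    """Criticality score: points for each supported process plus RTO points."""
    return sum(PROCESS_POINTS[p] for p in app.processes) + rto_points(app.rto_hours)


def prioritize(apps: list) -> list:
    """Restoration priority order: highest score first, name breaks ties."""
    return sorted(apps, key=lambda a: (-score(a), a.name))


def gss_gap_hours(app: Application) -> float:
    """Hours by which the hosting GSS RTO exceeds the application RTO.
    0 means no potential gap; inf means the GSS is not recoverable offsite."""
    gss_rto = GSS_RTO_HOURS[app.gss]
    if gss_rto is None:
        return float("inf")
    return max(0.0, gss_rto - app.rto_hours)


def classify_recovery(app: Application, slight_factor: float = 1.5) -> str:
    """Bucket the measured recovery time against the RTO. 'slightly beyond'
    is assumed to mean no more than slight_factor times the RTO."""
    if app.actual_hours is None:
        return "untested"
    if app.actual_hours <= app.rto_hours:
        return "within"
    if app.actual_hours <= app.rto_hours * slight_factor:
        return "slightly beyond"
    return "significantly beyond"


def implementation_metrics(apps: list) -> dict:
    """Percentages over the application set, as SP 800-55 recommends."""
    total = len(apps)
    buckets = [classify_recovery(a) for a in apps]

    def pct(count: int) -> float:
        return round(100.0 * count / total, 1)

    return {
        "within_rto_pct": pct(buckets.count("within")),
        "slightly_beyond_pct": pct(buckets.count("slightly beyond")),
        "significantly_beyond_pct": pct(buckets.count("significantly beyond")),
        "untested_pct": pct(buckets.count("untested")),
        "gss_gap_pct": pct(sum(1 for a in apps if gss_gap_hours(a) > 0)),
    }


# Constructed sample inventory; none of these are real IRS applications.
SAMPLE_APPS = [
    Application("master file batch", ["returns processing", "remittance processing"],
                12, "mainframe", 144),
    Application("lockbox remittance feed", ["remittance processing"], 24, "mainframe", 30),
    Application("notice generator", ["taxpayer correspondence"], 48, "midrange", 36),
    Application("workforce dashboard", ["internal reporting"], 168, "campus-web"),
]

if __name__ == "__main__":
    for app in prioritize(SAMPLE_APPS):
        print(f"{score(app):3d}  {app.name:24s} gss_gap={gss_gap_hours(app):>6}  "
              f"{classify_recovery(app)}")
    print(implementation_metrics(SAMPLE_APPS))
```

Run stand-alone, the block prints the ranked list with each application's GSS gap and recovery bucket, then the percentage metrics. The four bucket percentages always sum to 100, which is what makes them usable as a trend over successive test cycles; "gss_gap_pct" is the Business Operating Division versus MITS recovery time objective gap expressed as a single implementation metric, and an application hosted on a GSS that cannot be recovered offsite shows an infinite gap rather than being silently dropped.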
The creation of metrics to assess progress and track improvements in\ncomponents of the disaster recovery material weakness is required by the IRS Computer Security\nMaterial Weakness Action Plan. In addition, NIST SP 800-55 provides guidelines on how\nmetrics can be used to determine the adequacy of in-place security controls, policies, and\nprocedures. NIST SP 800-55 can be used to develop, select, and implement system-level and\nprogram-level metrics to indicate the implementation, efficiency, effectiveness, and impact of\nsecurity controls and other security-related activities.\nNIST SP 800-55 states that metrics are usually expressed as percentages and averages and that\nthe process being measured must be measurable, consistent, and repeatable. One specific type\nof metric cited by NIST, the implementation metric, is used to demonstrate progress in\nimplementing security programs, such as the percentage of systems that have approved system\nsecurity plans. The IRS could use implementation metrics to measure the extent to which the\ncorrective actions have been completed.\nThe IRS is still in the process of developing corrective actions for establishing and maintaining\nmetrics. 
Improved metrics will help to facilitate decision making, improve performance, and\nincrease accountability related to the completion of the disaster recovery corrective actions.\n\nRecommendation\nRecommendation 2: The Chief Technology Officer should ensure that metrics specifically\ndesigned to assess progress and track improvements in completing the corrective actions of five\ncomponents of the disaster recovery material weakness over time are developed using guidance\ncontained in NIST SP 800-55.\n       Management\xe2\x80\x99s Response: The IRS agreed with our recommendation. The IRS\n       plans to design metrics using NIST SP 800-55 to assess the progress of the disaster\n       recovery program.\n\n                                                                                   Appendix I\n\n        Detailed Objective, Scope, and Methodology\n\nThe overall objective of this review was to evaluate the IRS\xe2\x80\x99s corrective actions for addressing\nits disaster recovery material weakness. To accomplish our objective, we:\nI.     Evaluated the effectiveness of corrective actions taken on completed components of the\n       disaster recovery material weakness.\n       A. For the Policy component, we:\n           1. Determined whether IRS disaster recovery manuals were complete and consistent\n              with Federal requirements and guidance.\n           2. Reviewed the frequency and scope of outreach and awareness sessions that the\n              IRS conducted to help move the manuals into day-to-day operations.\n           3. Determined whether the IRS disaster recovery course curriculum sufficiently covered\n              the range of elements that comprise a disaster recovery program.\n       B. 
For the Business Impact Analysis component, we:\n           1. Reviewed the process used by the IRS to develop a prioritized list of critical\n              systems.\n           2. Determined whether the IRS completed its site-based restoration priority\n              documents.\n           3. Reviewed the process used by the IRS to conduct restoration gap analyses.\n           4. Reviewed the IRS\xe2\x80\x99s analysis of Business Operating Division and MITS\n              organization recovery time objectives.\n           5. Reviewed the IRS\xe2\x80\x99s spend plan for reducing recovery times.\n       C. For the Disaster Recovery Plan Test and Exercise component, we:\n           1. Determined whether IRS baseline expectations, requirements, and templates were\n              complete and consistent with Federal requirements and guidance.\n           2. Determined whether the IRS had a complete set of disaster recovery roles and\n              responsibilities.\n           3. Determined whether the frequency and types of testing required by the IRS and\n              IRS reporting requirements were complete and consistent with Federal\n              requirements.\n           4. Determined whether the IRS conducted appropriate annual exercises and tests for\n              all Federal Information Security Management Act systems.\nII.    Evaluated the effectiveness of corrective actions taken to date on open components of the\n       disaster recovery material weakness.\n       A. 
For the Disaster Recovery Compliance component, we evaluated the plans,\n          procedures, and methods that the IRS will be using to conduct an internal disaster\n          recovery compliance program.\n       B. For the Disaster Recovery Plans component, we:1\n           1. Determined whether the IRS had prepared and maintained disaster recovery plans\n              for all Federal Information Security Management Act systems using IRS plan\n              templates.\n           2. Determined whether the IRS established and maintained data and processing\n              backup-recovery capability.\n           3. Reviewed the process used to establish and maintain recovery capability and to\n              ensure that outage times meet objectives.\n       C. For the Technical Assessment component, we:\n           1. Determined whether the IRS performed annual risk assessments.\n           2. Reviewed the IRS\xe2\x80\x99s process for developing a true redundancy and resiliency\n              analysis.\n           3. Determined whether the IRS developed a site-based restoration vulnerability\n              analysis.\n           4. Determined whether concurrence was obtained from both the MITS organization\n              and Business Operating Divisions on recovery objectives.\n           5. Determined how the IRS plans to use an application or tool it procured that assists\n              in assessing and responding to a disaster.\n       D. For the Metrics component, we determined whether the IRS had developed\n          appropriate metrics for assessing and tracking progress in completing its corrective\n          actions.\nInternal controls methodology\nInternal controls relate to management\xe2\x80\x99s plans, methods, and procedures used to meet their\nmission, goals, and objectives. 
Internal controls include the processes and procedures for\nplanning, organizing, directing, and controlling program operations. They include the systems\nfor measuring, reporting, and monitoring program performance. We determined the following\ninternal controls were relevant to our audit objective: the Cybersecurity organization\xe2\x80\x99s policies,\nprocedures, and practices for addressing the disaster recovery material weakness. We evaluated\nthese controls by interviewing staff of the Cybersecurity organization and by reviewing the\ncorrective actions being taken to address the components of the material weakness.\n\n1 This component was open when we performed the audit, but is now closed.\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nAlan Duncan, Assistant Inspector General for Audit (Security and Information Technology\nServices)\nKent Sagara, Director\nDanny Verneuille, Director\nCarol Taylor, Audit Manager\nJoan Bonomi, Senior Auditor\nRichard Borst, Senior Auditor\nStasha Smith, Senior Auditor\nKasey Koontz, Auditor\n\n                                                                 Appendix III\n\n     
                  Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Operations Support OS\nAssociate Chief Information Officer, Cybersecurity OS:CTO:C\nDirector, Security Risk Management OS:CTO:C:SRM\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaison: Director, Risk Management Division OS:CTO:SP:RM\n\n\n\n\n                                                                         Page 21\n\x0c                    Corrective Actions to Address the Disaster Recovery\n                          Material Weakness Are Being Completed\n\n\n\n                                                                           Appendix IV\n\n   National Institute of Standards and Technology\n                     Publications\n\nNIST Special Publication 800-12, An Introduction to Computer Security: The NIST\nHandbook\nNIST Special Publication 800-16, Information Security Training Requirements: A Role- and\nPerformance-Based Model (Draft)\nNIST Special Publication 800-34, Contingency Planning Guide for Federal Information\nSystems\nNIST Special Publication 800-37, Guide for Applying the Risk Management Framework to\nFederal Information Systems\nNIST Special Publication 800-50, Building an Information Technology Security Awareness\nand Training Program\nNIST Special Publication 800-53, Recommended Security Controls for Federal Information\nSystems and Organizations\nNIST Special Publication 800-55, Performance Measurement Guide for Information Security\nNIST Special Publication 800-84, Guide to Test, Training, and Exercise Programs for IT\nPlans and Capabilities\nNIST Special Publication 800-115, Technical Guide to Information Security Testing and\nAssessment\n\n\n\n\n                                                                              
      Page 22\n\x0c                     Corrective Actions to Address the Disaster Recovery\n                           Material Weakness Are Being Completed\n\n\n\n                                                                           Appendix V\n\n                              Glossary of Terms\n\n               Term                                     Definition\n\nCampus                            The data processing arm of the IRS. The campuses\n                                  process paper and electronic submissions, correct\n                                  errors, and forward data to the Computing Centers for\n                                  analysis and posting to taxpayer accounts.\nCertification and Accreditation   A comprehensive assessment of the management,\n                                  operational, and technical security controls in an\n                                  information system, made in support of security\n                                  accreditation, to determine the extent to which the\n                                  controls are implemented correctly, operating as\n                                  intended, and producing the desired outcome with\n                                  respect to meeting the requirements for the system.\nCybersecurity Organization        Manages the IRS\xe2\x80\x99s IT Security program. It is\n                                  responsible for ensuring compliance with Federal\n                                  statutory, legislative, and regulatory requirements\n                                  governing measures to assure the confidentiality,\n                                  integrity, and availability of IRS electronic systems,\n                                  services, and data. 
It is within the MITS organization.\nEnd-to-End Testing                Testing that involves recovering applications and\n                                  systems at the recovery location using the production\n                                  environment.\nEnterprise Computing Centers      IRS sites that support tax processing and information\n                                  management through a data processing and\n                                  telecommunications infrastructure.\nFederal Managers\xe2\x80\x99 Financial       Requires each Federal agency to conduct annual\nIntegrity Act of 1982             evaluations of its systems of internal accounting and\n                                  administrative control. Each agency is also required\n                                  to prepare an annual report for Congress and the\n                                  President that identifies material weaknesses and the\n                                  agency\xe2\x80\x99s corrective action plans and schedules.\n\n\n\n                                                                                   Page 23\n\x0c                    Corrective Actions to Address the Disaster Recovery\n                          Material Weakness Are Being Completed\n\n\n\n\n               Term                                          Definition\n\nFunctional Exercises                  Exercises in which recovery personnel execute their\n                                      roles in a simulated operational environment.\n                                      Functional tests involve retrieving, loading, and\n                                      validating backup tapes and files.\nMaterial Weakness                     Internal accounting and administrative control\n                                      deficiencies in operations or systems that, among\n                                      other things, severely impair or threaten the\n                                      
organization\xe2\x80\x99s ability to accomplish its mission or to\n                                      prepare timely, accurate financial statements or\n                                      reports.\nModernization and Information         The IRS organization that delivers IT services and\nTechnology Services                   solutions which drive effective tax administration to\n                                      ensure public confidence.\nNational Institute of Standards and   A part of the Department of Commerce that is\nTechnology                            responsible for developing standards and guidelines\n                                      for providing adequate information security for all\n                                      Federal Government agency operations and assets.\nOffice of Management and Budget       The office within the Executive Office of the\n                                      President that helps executive departments and\n                                      agencies implement the commitments and priorities of\n                                      the President.\nRecovery Point Objective              The point in time, prior to a disruption, that data can\n                                      be recovered.\nRecovery Time Objective               The maximum amount of time a system can remain\n                                      unavailable before there is an unacceptable impact on\n                                      other systems or supported business processes.\nResiliency                            The ability to quickly adapt and recover from any\n                                      known or unknown changes to the environment.\n                                      Resiliency is not a process, but rather an end-state for\n                                      organizations. 
The goal of a resilient organization is\n                                      to continue mission-essential functions at all times\n                                      during any type of disruption.\n\n\n\n\n                                                                                         Page 24\n\x0c                     Corrective Actions to Address the Disaster Recovery\n                           Material Weakness Are Being Completed\n\n\n\n\n              Term                                      Definition\n\nTabletop Exercises                Exercises that are discussion-based and take place in a\n                                  classroom setting. Participants use disaster recovery\n                                  plans to discuss how they would respond to a\n                                  disruption scenario.\n\n\n\n\n                                                                                   Page 25\n\x0c      Corrective Actions to Address the Disaster Recovery\n            Material Weakness Are Being Completed\n\n\n\n                                                  Appendix VI\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                            Page 26\n\x0cCorrective Actions to Address the Disaster Recovery\n      Material Weakness Are Being Completed\n\n\n\n\n                                                      Page 27\n\x0c'